
United States Patent and Trademark Office

UNITED STATES DEPARTMENT OF COMMERCE
United States Patent and Trademark Office
Address: COMMISSIONER FOR PATENTS
P.O. Box 1450
Alexandria, Virginia 22313-1450
www.uspto.gov



APPLICATION NO.: 09/847,037
FILING DATE: 04/30/2001
FIRST NAMED INVENTOR: Brian T. Murren
ATTORNEY DOCKET NO.: GE1-003US
CONFIRMATION NO.: 5208

21718 7590 11/03/2004
LEE & HAYES PLLC
SUITE 500
421 W RIVERSIDE
SPOKANE, WA 99201

EXAMINER: SON, LINH L D
ART UNIT: 2135
PAPER NUMBER

DATE MAILED: 11/03/2004



Please find below and/or attached an Office communication concerning this application or proceeding. 



PTO-90C (Rev. 10/03)

Office Action Summary

Application No.: 09/847,037
Applicant(s): MURREN ET AL.
Examiner: Linh Son
Art Unit: 2135





- The MAILING DATE of this communication appears on the cover sheet with the correspondence address -

Period for Reply

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM THE MAILING DATE OF THIS COMMUNICATION.

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed

DETAILED ACTION

Claim Rejections - 35 USC § 101

1. 35 U.S.C. 101 reads as follows:

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.

1. Claims 1-7 are rejected under 35 U.S.C. 101 because the claimed invention is directed to non-statutory subject matter. Claims 1-7 consist solely of a computer program, which is nonstatutory functional descriptive material.



Claim Rejections - 35 USC § 102 

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States 
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

2. Claims 1-5, 8-14, 16, 19-23, 26-29, 31-32, and 34-39 are rejected under 35 
U.S.C. 102(e) as being anticipated by Gong, US Patent 6047377, hereinafter '377. 



3. As per claim 1, "A system comprising: a pluggable security policy enforcement
module configured to be replaceable in the system and to provide different granularities
of control for a business logic in the system, wherein the business logic processes
requests submitted to the system" is taught in '377 (Col 2 lines 23-43 and Col 1 lines
53-65).

4. As per claims 2 and 16, "A system as recited in claims 1 and 8, wherein the 
different granularities of control comprise a plurality of sets of rules that can be replaced 
with each other without altering the business logic" is taught in '377 (Col 6 lines 12-54). 

5. As per claim 3, "A system as recited in claim 1, wherein the pluggable security
policy enforcement module is further configured to determine, for a particular granularity
of control, whether to permit an operation requested by a user, based at least in
part on a permission assigned to the user" is taught in '377 (Col 6 lines 12-19, and Col
12 line 65 to Col 13 line 34).

6. As per claims 4, 20 and 27, "A system as recited in claims 1, 19, and 26, wherein
the pluggable security policy enforcement module includes a control module configured 
to determine whether to permit an operation based at least in part on accessing the 
business logic to identify one or more additional tests to perform, and further configured 
to perform the one or more additional tests" is taught in '377 (Fig 4 #480, and Col 13 
lines 59-65, and Col 18 lines 30-45). 
7. As per claims 5, 21, 29, and 34, "A system as recited in claims 4, 20, 27, and 33,
wherein the control module is further configured to return a result of the determining to 
the business logic" is taught in '377 (Col 19 lines 19-35). 

8. As per claim 8, "One or more computer-readable media comprising computer-
executable instructions that, when executed, direct a processor to perform acts 
including: receiving a request to perform an operation" is taught in '377 (Col 4 lines 15- 
30, and lines 45-60, and Col 18 lines 29-45); "checking whether to access a business 
logic in order to generate a result for the requested operation; obtaining, from the 
business logic, a set of zero or more additional tests to be performed in order to 
generate the result; performing each additional test in the set of tests if there is at least 
one test in the set of tests; checking a set of pluggable rules to determine the result of 
the requested operation; and returning, as the result, a failure indication if checking the 
business logic or checking the set of pluggable rules indicates that the result is a failure, 
otherwise returning, as the result, a success indication" is taught in '377 (Col 18 line 30 
to Col 19 line 35). 

9. As per claim 9, "One or more computer-readable media as recited in claim 8, 
wherein the receiving comprises receiving, from the business logic, the request to 
perform the operation" is taught in '377 (Col 19 lines 25-35). 
10. As per claim 10, "One or more computer-readable media as recited in claim 8,
wherein the receiving comprises receiving, as part of the request, an indication of a
user, and wherein the checking the set of pluggable rules comprises comparing an
object associated with the user to the rules in the set of pluggable rules and determining
whether the operation can be performed based at least in part on whether the user is
permitted to perform the operation" is taught in '377 (Col 34-55).

11. As per claim 11, "One or more computer-readable media as recited in claim 8,
wherein the receiving comprises having one of a plurality of methods invoked" is taught 
in '377 (Col 6 lines 27-45, and Col 19 lines 4-35). 

12. As per claim 12, "One or more computer-readable media as recited in claim 8, 
wherein the set of pluggable rules is a set of security rules defined using high-level 
permission concepts" is taught in '377 (Col 6 lines 28-45). 

13. As per claims 13, 22, 32, and 37, "One or more computer-readable media as 
recited in claims 12, 19, 31, and 36, wherein the high-level permission concepts include 
an operation and a context, wherein the operation allows identification of an operation to 
be performed and the context allows identification of what the operation is to be 
performed on" is taught in '377 (Col 6 line 57 to Col 7 line 28). 
14. As per claim 14, "One or more computer-readable media as recited in claim 8,
wherein the computer-executable instructions are implemented as an object" is taught in 
'377 (Col 6 lines 25-45). 

15. As per claims 16, 28, and 38, "One or more computer-readable media as recited 
in claims 8, 27, and 35, wherein the set of pluggable rules can be replaced with another 
set of pluggable rules without altering the business logic" is taught in '377 (Col 2 lines 
23-50). 

16. As per claim 19, "A method comprising: providing high-level permission concepts 
for security rules; allowing a set of security rules to be defined using the high-level 
permission concepts, wherein the set of security rules allows permissions to be 
assigned to users of an application; and determining, based at least in part on a 
permission assigned to a user, whether to permit an operation based on a request by 
the user" is taught in '377 (Col 13 lines 8-55). 

17. As per claim 23, "A method as recited in claim 19, wherein the method is
implemented in an object having a plurality of interfaces for requesting a determination 
as to whether to permit a plurality of operations including the operation requested by the 
user" is taught in '377 (Col 13 lines 8-55). 
18. As per claim 26, "A method comprising: receiving a request to perform an
operation; accessing a set of low-level rules, wherein the low-level rules are defined in 
terms of high-level concepts; checking whether a user requesting to perform the 
operation is entitled to perform the operation based at least in part on the set of low- 
level rules; and returning an indication of whether the operation is allowed or not 
allowed" is taught in '377 (Col 6 line 56 to Col 7 line 27). 

19. As per claim 31, "A method comprising: assigning high level security concepts to
an application domain; and allowing a set of pluggable rules to define low-level rules, in 
terms of the high level security concepts, for different business logic in the application 
domain" is taught in '377 (Col 6 lines 20-45, and Col 20 lines 4-58). 

20. As per claim 35, "An architecture comprising: a plurality of resources; a business 
logic layer to process, based at least in part on the plurality of resources, requests 
received from a client; and a pluggable security policy enforcement module to enforce 
security restrictions on accessing information stored at the plurality of resources" is 
taught in '377 (Col 6 line 57 to Col 7 line 28, and Col 20 lines 10-58). 

21. As per claim 36, "An architecture as recited in claim 35, wherein the pluggable
security policy enforcement module defines high-level permission concepts for security 
rules and further defines a set of security rules using the high-level permission 
concepts" is taught in '377 (Col 6 line 57 to Col 7 line 28). 
22. As per claim 39, "An architecture as recited in claim 35, wherein the pluggable
security policy enforcement module is configured to determine, based at least in part on 
a permission assigned to a user and on one or more additional tests identified by 
accessing the business logic layer, whether to permit an operation to access information 
at the plurality of resources" is taught in '377 (Col 13 lines 7-56). 

Claim Rejections - 35 USC § 103 

23. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

24. Claims 6-7, 15, 17-18, 24-25, 30, and 33 are rejected under 35 U.S.C. 103(a) as 
being unpatentable over '377 in view of Miller, US Patent No. 5265221, hereinafter '221.

25. As per claims 6, 17, 24, and 30, "A system as recited in claims 1, 8, 19, and 26,
wherein the different granularities of control comprise a plurality of sets of rules, and
wherein each set of rules includes a plurality of permission assignment objects" is
taught in '377 (Col 18 line 30 to Col 19 line 35). However, "each of the permission
assignment objects associates a user with a particular role, wherein each particular role
is associated with one or more permissions, and wherein each of the one or more
permissions identifies a particular operation and context on which the operation is to be
performed" is not taught clearly in '377. In '377, the invention only discloses a security
system implemented in an environment with multiple domains of operation to execute
business logic operations regardless of the source of the request. Nevertheless, "the
permission assignment objects associate a user with a particular role, wherein each
particular role is associated with one or more permissions, and wherein each of the one
or more permissions identifies a particular operation and context on which the operation
is to be performed" is taught clearly in '221 (Col 4 line 57 to Col 5 line 62). Therefore, it
would have been obvious at the time the invention was made for one having ordinary
skill in the art to incorporate the user's permission with a particular operation and
context before the security objects are implemented to authorize and permit the
business logic operation. The incorporation will add an additional layer of security to the
business logic operation domain.

26. As per claims 7, 18, and 25, "A system as recited in claims 6, 17 and 24, wherein 
each of the permission assignment objects further identifies whether the one or more 
permissions in the particular role are granted to the user or denied to the user" is taught 
in '221 (Col 5 line 65 to Col 6 line 27). 

27. As per claims 15 and 33, "One or more computer-readable media as recited in
claims 8 and 31" is taught in '377. However, "the computer-executable instructions
further direct the processor to perform acts including: determining if at least one of the
tests in the set of zero or more additional tests would indicate a result of failure; and
returning, as the result, the failure indication without checking the set of pluggable rules"
is not taught in '377. The invention in '377 only discloses the method of utilizing the
pluggable rules (Col 20 lines 4-58). Nevertheless, the invention in '221 discloses
another layer of security rules before the pluggable rules layer, which is the user
authentication (Col 4 line 57 to Col 5 line 62). Therefore, it would have been obvious at
the time the invention was made for one having ordinary skill in the art to incorporate
the user authentication mechanism in '221 with the pluggable rules to authorize the
execution of the business logic request. The additional layer provides another layer of
security, which will strengthen the system.
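The enforcement flow quoted from claims 8 and 15 (run the additional tests the business logic hands back, return a failure without consulting the pluggable rules if any test fails, otherwise check the rules) and the permission assignment objects of claims 6 and 7 (user to role, role to permissions, each permission an operation plus a context, each assignment marked granted or denied) describe one authorization module. The following Python sketch is an added illustration written for this page; it is not code from the application, from '377 or from '221, and every name in it (Request, RuleSet, PolicyEnforcementModule, the sample users, roles and amounts) is an assumption made here.

```python
"""Added illustration of the claimed enforcement flow; names and sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# A permission names an operation and the context it is performed on (claim 13).
Permission = Tuple[str, str]                      # e.g. ("read", "invoice")
AdditionalTest = Callable[["Request"], bool]      # extra check supplied by the business logic


@dataclass(frozen=True)
class Request:
    user: str
    operation: str
    context: str
    attributes: Dict[str, int] = field(default_factory=dict)   # request data the tests may inspect


@dataclass
class PermissionAssignment:
    """Associates a user with a role; the role's permissions are granted or denied (claims 6, 7)."""
    user: str
    role: str
    granted: bool = True


@dataclass
class RuleSet:
    """One pluggable set of rules: role -> permissions, plus user -> role assignments."""
    role_permissions: Dict[str, List[Permission]]
    assignments: List[PermissionAssignment]

    def permits(self, req: Request) -> bool:
        # Deny-overrides: an assignment that denies a matching role beats any grant.
        decision = False
        for pa in self.assignments:
            if pa.user != req.user:
                continue
            if (req.operation, req.context) not in self.role_permissions.get(pa.role, []):
                continue
            if not pa.granted:
                return False
            decision = True
        return decision


class BusinessLogic:
    """Hands back zero or more additional tests for a requested operation (claim 8)."""
    def __init__(self, extra_tests: Dict[str, List[AdditionalTest]]):
        self._extra_tests = extra_tests

    def additional_tests(self, req: Request) -> List[AdditionalTest]:
        return self._extra_tests.get(req.operation, [])


class PolicyEnforcementModule:
    """Pluggable module: the rule set is swapped without touching BusinessLogic (claims 2, 16)."""
    def __init__(self, rules: RuleSet):
        self.rules = rules
        self.rules_consulted = 0   # counts how often the rule layer was actually reached

    def replace_rules(self, rules: RuleSet) -> None:
        self.rules = rules

    def check(self, req: Request, logic: BusinessLogic) -> bool:
        # Claim 15 ordering: a failing additional test short-circuits before the rules are read.
        for test in logic.additional_tests(req):
            if not test(req):
                return False
        self.rules_consulted += 1
        return self.rules.permits(req)


def run_demo() -> dict:
    """Constructed sample users, roles and limits (not from the application)."""
    rules_v1 = RuleSet(
        role_permissions={
            "clerk": [("read", "invoice")],
            "manager": [("read", "invoice"), ("approve", "invoice")],
        },
        assignments=[
            PermissionAssignment("alice", "clerk"),
            PermissionAssignment("bob", "manager"),
            PermissionAssignment("dave", "manager", granted=False),   # explicit denial
        ],
    )
    # Business-logic test: approvals above 10,000 fail regardless of role.
    logic = BusinessLogic({"approve": [lambda r: r.attributes.get("amount", 0) <= 10_000]})
    pep = PolicyEnforcementModule(rules_v1)
    out = {}
    out["alice_read"] = pep.check(Request("alice", "read", "invoice"), logic)
    out["alice_approve"] = pep.check(Request("alice", "approve", "invoice"), logic)
    out["bob_small"] = pep.check(Request("bob", "approve", "invoice", {"amount": 500}), logic)
    consulted_before = pep.rules_consulted
    out["bob_large"] = pep.check(Request("bob", "approve", "invoice", {"amount": 50_000}), logic)
    out["rules_skipped_on_test_failure"] = pep.rules_consulted == consulted_before
    out["dave_denied"] = pep.check(Request("dave", "approve", "invoice", {"amount": 1}), logic)
    # Swap in a stricter rule set; the BusinessLogic object is left exactly as it was.
    rules_v2 = RuleSet(role_permissions={"manager": [("approve", "invoice")]},
                       assignments=[PermissionAssignment("bob", "manager")])
    pep.replace_rules(rules_v2)
    out["alice_read_after_swap"] = pep.check(Request("alice", "read", "invoice"), logic)
    return out


if __name__ == "__main__":
    for name, allowed in run_demo().items():
        print(f"{name}: {allowed}")
```

The counter on the module is only there to make the claim 15 behaviour observable: when the business logic's amount test fails, the request is refused and the rule set is never read, which matters when rule evaluation is expensive or has side effects such as audit logging.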

Conclusion 

1. Any inquiry concerning this communication from the examiner should be directed
to Linh Son whose telephone number is (571)-271-3856.

2. If attempts to reach the examiner by telephone are unsuccessful, the examiner's
supervisor Kim Y. Vu can be reached at (571)-272-3859. The fax numbers for
this group are (703)-872-9306 (official fax). Any inquiry of general nature or
relating to the status of this application or proceeding should be directed to the
group receptionist whose telephone number is (571)-272-2100.

3. Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for
published applications may be obtained from either Private PAIR or Public PAIR.
Status information for unpublished applications is available through Private PAIR
only. For more information about the PAIR system, see http://pair-direct.uspto.gov.
Should you have questions on access to the Private PAIR system, contact the
Electronic Business Center (EBC) at 866-217-9197 (toll-free).



Patent Examiner 



Linh LD Son 







